Privacy Policy
1. Data Controller and Identifying Information
In accordance with the Spanish Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE), we provide the following mandatory information regarding the data controller:
a. Company Name: Klozo AI Solutions (referred to as "Klozo").
b. Registered Office: Málaga, Spain.
c. NIF/Tax ID: [Pending Assignment].
d. Contact Email: privacy@klozo.io
e. Primary Activity: Development and commercialization of AI-powered contract analysis and auditing software.
2. Categories of Personal Data Collected
We collect and process various categories of data to provide and improve our Services:
a. Account and Identity Data: This includes your name, professional email address, and authentication credentials used to access the Dashboard.
b. Service Usage Data: We collect information on how you interact with our platform, such as features accessed, time spent on specific modules, and general navigation patterns.
c. Contractual and Document Data: This refers to the files or text you upload to the Klozo Dashboard for analysis. In this context, Klozo acts as a Data Processor, and you (the user or your organization) remain the Data Controller.
d. Technical and Log Data: IP addresses, device identifiers, browser type, and operating system information are collected for security monitoring and performance optimization.
3. Purposes and Legal Basis for Processing
Our processing of your personal data is grounded in the following legal bases under the GDPR:
a. Performance of a Contract (Art. 6.1.b GDPR): To provide the core contract analysis services, manage your account, and provide technical support.
b. Consent (Art. 6.1.a GDPR): To send you "The Klozo Brief" newsletter and other optional marketing communications where you have explicitly opted in.
c. Legitimate Interest (Art. 6.1.f GDPR): To ensure the security of our infrastructure, prevent fraudulent activities, and perform internal research to improve our AI algorithms.
d. Legal Obligation (Art. 6.1.c GDPR): To comply with tax, commercial, and other regulatory requirements applicable in Spain and the European Union.
e. Aggregated and Anonymized Data: We may process personal data to create aggregated datasets that do not identify any individual. This data is used for internal research, improving our auditing logic, and providing industry benchmarks. Once anonymized, this data is no longer personal data, and Klozo owns it exclusively.
4. AI Transparency and Data Usage (EU AI Act Disclosure)
Klozo is built on advanced Artificial Intelligence. In compliance with the transparency requirements of the EU AI Act:
a. Automated Analysis: The summaries and "Red Flags" provided are generated by AI. These outputs are probabilistic and intended for informational purposes only.
b. Zero-Training Guarantee: We implement a strict zero-training policy. We do not use your raw, identifiable contract content to train any Large Language Models (LLMs), including those provided by our infrastructure partners. Your data remains isolated within our secure processing environment.
c. Human-in-the-loop: We strongly recommend that all AI-generated insights undergo review by a qualified legal professional before being used for formal legal decisions.
5. Data Sharing and Sub-processors
We do not sell your personal data. We only share it with trusted third-party sub-processors necessary for the delivery of our Services:
a. Infrastructure & Hosting: Supabase (Database and File Storage) and Vercel (Frontend Delivery).
b. Email Communications: Resend (Transactional and Marketing email delivery).
c. AI Infrastructure: Google Gemini is our sole AI infrastructure provider. All document data is processed through secure enterprise API channels. Under our configuration, we enforce a strict Zero-Training policy: your document content and prompts are never used to train or improve Google’s public Large Language Models.
d. Legal Requirements: We may disclose data if required to do so by a court order, subpoena, or formal request from competent Spanish or European Union authorities, provided such requests meet necessary legal thresholds.
6. International Data Transfers
While we prioritize EEA-based processing where available, some data may be processed in the United States. To ensure your protection, we only partner with providers that adhere to the EU-U.S. Data Privacy Framework or utilize Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring a level of data protection equivalent to the GDPR.
7. Data Retention and Deletion
We retain your data only for as long as necessary to fulfill the purposes for which it was collected:
a. Active Accounts: Contractual data is stored as long as your account remains active and you maintain a subscription.
b. Account Deletion: Upon request, we will delete your personal data. A secure backup may persist for up to 30 days before permanent erasure.
c. Legal Archive: Basic transactional records and tax-related data are retained for up to 6 years to comply with Spanish commercial and fiscal laws.
8. Information Security Measures
We implement robust technical and organizational measures to protect your data:
a. Encryption: All data is encrypted in transit via TLS and at rest using AES-256 encryption standards.
b. Access Control: We enforce a strict "least-privilege" access model for our internal systems.
c. Regular Audits: We perform periodic security assessments and monitor our sub-processors for ongoing compliance.
9. Your Rights under GDPR
As a data subject, you have the following rights, which you can exercise by emailing privacy@klozo.io:
a. Right of Access: To obtain confirmation as to whether or not your data is being processed.
b. Right to Rectification: To correct inaccurate or incomplete personal data.
c. Right to Erasure: To request the deletion of your data when it is no longer necessary for the purposes for which it was collected.
d. Right to Object: To object to processing based on legitimate interest or for direct marketing.
e. Right to Data Portability: To receive your data in a structured, commonly used, and machine-readable format.
10. US State Privacy Rights (CCPA/CPRA)
While Klozo is primarily governed by the GDPR, we respect the privacy rights of residents in US states with comprehensive privacy laws (such as California). We do not "sell" your personal information to third parties, and we provide you with the same rights to access and deletion as required by EU law.
12. Third-Party Links and Services
Our platform may contain links to third-party websites or services that are not owned or controlled by Klozo. We are not responsible for the privacy practices or the content of these third parties, and we encourage you to review their policies separately.
13. Children's Privacy
Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take immediate steps to delete such information from our systems.
14. Business Transfers
In the event that Klozo is involved in a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you via email or a prominent notice on our platform before your data is transferred and becomes subject to a different privacy policy.
15. Updates to this Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements:
a. Notification: Significant changes will be communicated via email or through a prominent notice on the Klozo Dashboard.
b. Versioning: All previous versions of this policy are archived and accessible via our Privacy Archive for transparency.
For urgent privacy inquiries, please contact our data protection officer.